urllib3 vulnerability GHSA-34jh-p97f-mpxf

[Cookiehook]

A vulnerability has been found and patched in urllib3: GHSA-34jh-p97f-mpxf
Datadog-lambda has an explicit pin of version <2.1.0 urllib3: https://github.com/DataDog/datadog-lambda-python/blob/main/pyproject.toml#L34

This is preventing us from remediating the vulnerability in our applications, as poetry cannot resolve to install datadog-lambda-python and urllib3 2.2.2.

Could you please update your dependencies to allow the security patch in urllib3 2.2.2 to be included in the installation?

Specifications

• Datadog Lambda Layer version: 6.97.0
• Python version: 3.12

[astuyve]

Hi @Cookiehook - thanks for the note! We had made this pin because of botocore as per the pr. If this has been fixed upstream, we can remove the restriction entirely.

[Cookiehook]

Hi @astuyve ,
From what I can see, the restriction in botocore has been lifted in March this year:

• Add support for urllib3 2.2.1 boto/botocore#3138
• https://github.com/boto/botocore/pull/3141/files

I won't pretend to understand the details of the datadog-lambda-python package or your testing procedures, but this looks to me like you can un-pin and re-test and this should work.

[astuyve]

Hi @Cookiehook - this is now released in v6.98.

Best!